• Home  
  • Critical WordPress RCE Vulnerability wp2shell Exposes Millions
- Cybersecurity

Critical WordPress RCE Vulnerability wp2shell Exposes Millions

WordPress core flaw wp2shell lets unauthenticated attackers run code. Learn the CVEs, affected versions, patches, and what developers must do now.

Critical WordPress RCE Vulnerability wp2shell Exposes Millions

It’s shocking that an anonymous HTTP request can run code on a WordPress site. That’s the core of the new WordPress RCE vulnerability dubbed wp2shell, which surfaced on July 18, 2026. The bug lives in the core, so even a bare‑metal install with zero plugins is exploitable until the auto‑update forced patches landed.

Key Takeaways

  • Two linked CVEs (CVE‑2026‑63030 and CVE‑2026‑60137) enable unauthenticated remote code execution.
  • Versions 6.9.0‑6.9.4 and 7.0.0‑7.0.1 are fully vulnerable; 6.8.0‑6.8.5 only suffer a SQL injection.
  • Patch released in WordPress 6.9.5 and 7.0.2; 7.1 beta2 already includes both fixes.
  • Persistent object cache (Redis/Memcached) blocks the code‑execution chain, but not the underlying injection.
  • Rapid7 will add authenticated scans on July 20, but no exploitation is confirmed as of July 18.

Historical Context

WordPress introduced its REST API in 2016, giving developers a programmatic way to interact with core objects. By the time version 5.6 shipped in 2020, the /wp-json/batch/v1 endpoint was added to let callers bundle multiple sub‑requests. That feature was meant to reduce round‑trips for mobile apps and headless front‑ends. Over the next few years, the batch endpoint saw modest adoption but never became a “must‑use” part of the platform.

Security research around the REST API has been ongoing. Earlier bugs, such as the 2022 privilege escalation issue, taught the community that even well‑reviewed code paths can hide logic errors. Those lessons set expectations for how quickly WordPress would respond when a critical flaw emerged.

When the wp2shell chain was disclosed, it landed amid a broader push for automatic core updates. WordPress had already forced updates for several high‑severity vulnerabilities in 2025, and the new patches followed that same philosophy. The timeline—from discovery to public advisory—spanned roughly two weeks, a speed that matches the project’s recent security cadence.

Understanding the WordPress RCE Vulnerability (wp2shell)

We’re seeing two bugs stitched together. CVE‑2026‑63030 is a REST API batch‑route confusion, while CVE‑2026‑60137 is a SQL injection hidden in WP_Query’s author__not_in parameter. When chained, an attacker can send a single unauthenticated request that walks past the REST allow‑list and lands raw input in a database query, ultimately giving remote code execution.

How the Batch‑Route Confusion Works

WordPress’s /wp-json/batch/v1 endpoint has shipped since version 5.6 in 2020. It lets a caller bundle several sub‑requests into one payload and tracks them in two parallel arrays. A glitch in version 6.9 causes one sub‑request’s error to shift the arrays out of sync, so a later sub‑request runs under the handler of a previous one. That misalignment is the “confusion” that lets the attacker’s payload slip past the allow‑list.

Why the SQL Injection Matters

The injection lives in WP_Query’s author__not_in argument. If you hand it a string instead of an array, the type check that expects an array gets bypassed, dropping the raw value straight into the SQL query. That bug alone (CVE‑2026‑60137) has a CVSS score above 9.1, marking it Critical.

Version Ranges and Patch Timeline

Only certain releases expose the full RCE chain. The injection exists from 6.8 onward, but the batch‑route confusion starts at 6.9. That means:

  • 6.8.0‑6.8.5: SQL injection only, fixed in 6.8.6.
  • 6.9.0‑6.9.4: Full RCE chain, fixed in 6.9.5.
  • 7.0.0‑7.0.1: Full RCE chain, fixed in 7.0.2.

WordPress shipped the patches on Friday, pushing 6.9.5 and 7.0.2 via its forced‑updates mechanism. The company hasn’t confirmed whether sites that disabled auto‑updates received the push, so you’ll need to verify your version manually.

Real‑World Impact and Exploit Availability

Searchlight’s Adam Kues discovered the batch‑route bug and reported it through HackerOne. The writeup, posted under the name wp2shell, claims the attack has “no preconditions and can be exploited by an anonymous user.”

“no preconditions and can be exploited by an anonymous user”

That language matches the source’s description and underscores why the flaw is alarming.

Even though the proof‑of‑concept is now public on GitHub, there are no confirmed exploits in the wild as of July 18. The vulnerability isn’t on CISA’s KEV catalog, which only lists confirmed exploitation. Still, the fact that a working PoC exists and the bug hits default installations makes the risk feel immediate.

Mitigation Nuances: Cache Layers and Scanners

Cloudflare notes that the code‑execution path only works when a site isn’t running a persistent object cache. A default WordPress install doesn’t have Redis or Memcached, so most sites remain exposed. Adding a persistent cache isn’t a fix for the SQL injection, but it does blunt the RCE chain.

Rapid7 announced that its InsightVM and Nexpose scanners will start performing authenticated checks for these CVEs on July 20. That timing gives admins a narrow window to patch before automated scans flag their sites.

What This Means For You

If you can’t update today, the only reliable mitigation is to block anonymous access to the /wp-json/batch/v1 endpoint. Searchlight’s site offers a checker at wp2shell.com, which can help you confirm whether your site is vulnerable.

Developers should also audit any custom code that touches WP_Query’s author__not_in argument, ensuring they pass an array as intended. Even with a persistent cache, the injection could still be used for data exfiltration or privilege escalation.

In short, the wp2shell chain is a reminder that core bugs can be as dangerous as third‑party plugin flaws. It’s ironic that WordPress’s own auto‑update feature is the only thing that might have saved many sites, yet the company hasn’t clarified whether the push reaches installations that turned auto‑updates off.

What you’ll need to do now is verify your version, apply the patches, and consider adding a persistent cache if you haven’t already. Those steps will close the RCE path and reduce the attack surface.

Looking ahead, the industry will watch how quickly the exploit spreads now that the PoC is public. Will attackers find a way around the cache condition, or will the community’s rapid response keep the threat contained?

Competitive Landscape

While WordPress dominates the CMS market, other platforms have faced similar chain‑style vulnerabilities. The Joomla 4.2 incident in 2024 required a combination of a file‑upload bypass and a logic flaw to achieve remote code execution. Those cases illustrate a pattern: a single weakness rarely yields full compromise; attackers often need to stitch multiple issues together.

For WordPress, the wp2shell chain is the latest example of that trend. Vendors that provide managed WordPress hosting are already rolling out additional hardening layers. Many of those services include Web Application Firewalls that specifically deny batch‑endpoint traffic from unknown IP ranges. That approach mirrors what Cloudflare recommended for the cache mitigation.

Open‑source contributors are also stepping up. The community-maintained “WP‑Hardening” plugin now ships a rule set that disables the batch route by default. Though the plugin isn’t officially endorsed by WordPress, its rapid adoption shows how the ecosystem can self‑protect when a core issue surfaces.

Key Questions Remaining

Will the cache requirement become a de‑facto mitigation, or will attackers craft payloads that bypass Redis and Memcached? The answer will shape how many sites feel safe after adding a persistent cache.

Can the WordPress core team improve validation in WP_Query to prevent future type‑confusion vulnerabilities without breaking backward compatibility? That balance has always been tricky.

How will the auto‑update mechanism evolve now that a critical bug slipped through before the forced patch? Some administrators fear that turning off auto‑updates might leave them exposed to similar chains.

Will third‑party security scanners adopt the new authenticated checks quickly enough to protect sites that missed the initial forced update? Rapid7’s timeline suggests a two‑day window, but the broader market may move slower.

Answers to these questions will determine whether wp2shell remains an isolated incident or a catalyst for deeper changes in WordPress security practices.

Sources: The Hacker News, Rapid7

About the Author

— AI & Technology Reporter

Halil Kale is an AI and technology reporter at AI Post Daily, where he covers artificial intelligence, machine learning, cybersecurity, and the business of tech. With a background in computer science and over five years of experience tracking the AI industry, Halil specializes in translating complex technical developments into clear, actionable insights for developers, founders, and technology professionals. He has reported on breakthroughs from Anthropic, OpenAI, Google DeepMind, and NVIDIA, as well as critical cybersecurity incidents and emerging robotics applications. Halil believes that understanding AI is no longer optional — it's essential for anyone working in or around technology. At AI Post Daily, he applies rigorous editorial standards to ensure every story is accurate, sourced, and genuinely useful to readers.

About AI Post Daily

Independent coverage of artificial intelligence, machine learning, cybersecurity, and the technology shaping our future.

Contact: Get in touch

We use cookies to personalize content and ads, and to analyze traffic. By using this site, you agree to our Privacy Policy.